CI Integration Overview
Use Code Pathfinder as part of your CI/CD pipeline to scan your code for vulnerabilities. The `code-pathfinder` Docker image is available on Docker Hub.
Support Matrix
| Provider | Install Method | Native SARIF UI | PR Annotation | Recommended Format |
|---|---|---|---|---|
| GitHub Actions | Action (action.yml) | Yes (Code Scanning) | Yes (PR comments) | SARIF |
| GitLab CI | Docker image | Yes (Security Dashboard) | Yes (MR widget) | SARIF |
| Azure DevOps | Docker image | Yes (CodeAnalysisLogs) | Partial (artifact) | SARIF |
| Bitbucket Pipelines | Docker image | No (use pipe) | Yes (Reports API) | SARIF |
| Jenkins | Docker agent | No | No (use Warnings NG plugin) | SARIF/JSON |
| CircleCI | Docker executor | No | No | SARIF/JSON |
| Buildkite | Docker plugin | No | No (use annotations) | SARIF/JSON |
| TeamCity | Docker wrapper | No | No | SARIF/JSON |
Canonical Command
All providers run the same `pathfinder ci` invocation with the same flags; only the provider-specific wrapper around it differs.
GitHub Actions
```yaml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
permissions:
  security-events: write
  contents: read
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Run Security Scan
        uses: shivasurya/code-pathfinder@v1.2.0
        with:
          ruleset: python/deserialization, docker/security
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: pathfinder-results.sarif
```
See the GitHub Action guide for detailed configuration options.
GitLab CI
See the GitLab CI guide for detailed configuration options.
Bitbucket Pipelines
```yaml
image: shivasurya/code-pathfinder:stable-latest
pipelines:
  pull-requests:
    '**':
      - step:
          name: Code Pathfinder SAST
          script:
            - pathfinder ci --project . --output-file output.sarif --output sarif --ruleset cpf/java
          artifacts:
            - output.sarif
  default:
    - step:
        name: Code Pathfinder SAST
        script:
          - pathfinder ci --project . --output-file output.sarif --output sarif --ruleset cpf/java
        artifacts:
          - output.sarif
```
See the Bitbucket Pipelines guide for detailed configuration options.
Jenkins
```groovy
pipeline {
    agent {
        docker {
            image 'shivasurya/code-pathfinder:stable-latest'
            args '-v $WORKSPACE:/workspace -w /workspace'
        }
    }
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    pathfinder ci \
                      --project . \
                      --ruleset cpf/java \
                      --output sarif \
                      --output-file output.sarif \
                      --fail-on critical,high
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'output.sarif', allowEmptyArchive: true
        }
    }
}
```
CircleCI
```yaml
version: 2.1
jobs:
  code-pathfinder-sast:
    docker:
      - image: shivasurya/code-pathfinder:stable-latest
    steps:
      - checkout
      - run:
          name: Run Code-Pathfinder SAST Scan
          command: |
            pathfinder ci --project . --output-file output.sarif --output sarif --ruleset cpf/java || true
      - store_artifacts:
          path: output.sarif
          destination: output.sarif
# Without a workflows section CircleCI only auto-runs a job named `build`,
# so the job above must be scheduled explicitly.
workflows:
  security:
    jobs:
      - code-pathfinder-sast
```
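The CircleCI job above appends `|| true` so the scan never breaks the build, and the matrix lists CircleCI, Jenkins and TeamCity as having no native SARIF UI; in those setups the gating has to happen in your own step. The following is an added example (not Code Pathfinder's code and not from this page) that reads a SARIF 2.1.0 file, tallies results by severity and returns a non-zero exit code when any finding meets a `critical,high`-style threshold. It assumes each rule may carry a `security-severity` score in its `properties` and buckets that score with the thresholds GitHub Code Scanning uses (9.0+ critical, 7.0+ high, 4.0+ medium); when a rule has no score it falls back to the result's `level`. The file name `sarif_gate.py`, the fallback mapping and the embedded sample report are all constructed for the example.

```python
"""Severity gate for a SARIF 2.1.0 report (added example, not Code Pathfinder's code).

Usage after the scan step:  python sarif_gate.py output.sarif critical,high
Exit status 1 means at least one finding reached the threshold.
"""
import json
import sys
from collections import Counter

# Rank order for threshold comparison. Assumption: the critical/high/medium/low
# names used by the scanner's --fail-on flag correspond to these buckets.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}

# Fallback from the SARIF result `level` when the rule carries no numeric score
# (assumption, modelled on how GitHub Code Scanning treats level).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def score_to_severity(score: float) -> str:
    """Bucket a 0-10 `security-severity` score with GitHub Code Scanning thresholds."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"


def result_severity(result: dict, rules_by_id: dict) -> str:
    """Rule score wins; otherwise derive from the result level (SARIF default 'warning')."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        try:
            return score_to_severity(float(score))
        except (TypeError, ValueError):
            pass  # malformed score: fall back to the level below
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def summarize(sarif: dict) -> Counter:
    """Count results per severity bucket across every run in the log."""
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            counts[result_severity(result, rules_by_id)] += 1
    return counts


def should_fail(counts, fail_on: str) -> bool:
    """True when any finding is at or above the lowest severity named in fail_on."""
    names = [s.strip().lower() for s in fail_on.split(",") if s.strip()]
    if not names:
        return False
    unknown = [n for n in names if n not in SEVERITY_RANK]
    if unknown:
        raise ValueError(f"unknown severity in fail-on list: {unknown}")
    threshold = min(SEVERITY_RANK[n] for n in names)
    return any(SEVERITY_RANK[sev] >= threshold and n > 0 for sev, n in counts.items())


# Constructed sample log for a dry run; tool name, rule ids, scores and
# messages are made up and are not Code Pathfinder output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "example/unsafe-deserialization", "properties": {"security-severity": "9.8"}},
            {"id": "example/weak-hash", "properties": {"security-severity": "5.3"}},
        ]}},
        "results": [
            {"ruleId": "example/unsafe-deserialization", "level": "error",
             "message": {"text": "untrusted data reaches a deserializer"}},
            {"ruleId": "example/weak-hash", "level": "warning",
             "message": {"text": "MD5 used for an integrity check"}},
            # No rule entry for this id, so the level fallback applies.
            {"ruleId": "example/todo", "level": "note", "message": {"text": "TODO left in code"}},
        ],
    }],
}


def main(argv: list) -> int:
    """Read the report (default output.sarif), print the tally, return the exit code."""
    path = argv[1] if len(argv) > 1 else "output.sarif"
    fail_on = argv[2] if len(argv) > 2 else "critical,high"
    with open(path, encoding="utf-8") as fh:
        counts = summarize(json.load(fh))
    for sev in sorted(counts, key=SEVERITY_RANK.__getitem__, reverse=True):
        print(f"{sev:<9}{counts[sev]}")
    return 1 if should_fail(counts, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a second `run` step after the scan (`python sarif_gate.py output.sarif critical,high`) so the SARIF artifact is still stored even when the gate fails the job; the scanner's own `--fail-on` flag, as used in the Jenkins and TeamCity snippets, does the same in one step where you do not need the artifact on failure.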
Azure DevOps
```yaml
trigger:
  - '*'
jobs:
  - job: CodePathfinderSAST
    pool:
      name: 'yourpoolname'
    steps:
      - script: |
          docker run --rm -v $(System.DefaultWorkingDirectory):/workspace -w /workspace shivasurya/code-pathfinder:stable-latest ci --project . --output-file output.sarif --output sarif --ruleset cpf/java
        displayName: 'Run SAST Scan with Docker'
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: 'output.sarif'
          ArtifactName: 'SARIF Report'
```
Buildkite
```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "cpf/java"
            - "--output"
            - "sarif"
            - "--output-file"
            - "output.sarif"
            - "--fail-on"
            - "critical,high"
          mount-checkout: true
    artifact_paths:
      - "output.sarif"
```
TeamCity
```kotlin
object SecurityScan : BuildType({
    name = "Code Pathfinder SAST"
    vcs {
        root(DslContext.settingsRoot)
    }
    steps {
        dockerCommand {
            commandType = other {
                subCommand = "run"
                commandArgs = """
                    --rm
                    -v %teamcity.build.checkoutDir%:/workspace
                    -w /workspace
                    shivasurya/code-pathfinder:stable-latest
                    ci --project . --ruleset cpf/java
                    --output sarif --output-file output.sarif
                    --fail-on critical,high
                """.trimIndent()
            }
        }
    }
    artifactRules = "output.sarif => security-reports"
})
```